Winning at the SECTF

About a year or so ago when Social-Engineer ran a poll asking the public who they thought would be better as a Social-Engineer, this is how the public voted. Women won hands down. We set out to see if that was true with the first ever Men Vs Women SECTF at Def Con 20 – where the men dominated!

Def Con 21 was approaching and there was a cry from the camp of the women to let them defend their “title” – So the second ever SECTF Gender competition was born and this one proved to be a battle!

The women not only won, but they dominated. We asked the winner of the SECTF, Lilly, to write her account of what it was like joining, reporting and then calling for her first ever social engineering attempt. Join us and Lilly on her journey…..

The Initial SECTF Shock

When I opened the email revealing the company selected for me to SE, I expected a challenge – but maybe not this one. I was given a company known for its culture of strict secrecy and privacy – applicants sign an NDA even before they are allowed to begin the interview process. There are even reports of employees getting fired for saying anything openly about the company. Of course I had trepidation about how much success I’d have in finding information online, and especially getting it out of employees.

In my profession as a researcher of topics spanning cyber and computer security, intelligence and digital exhaust, I’m used to digging through massive amounts of material to find nuggets of relevant information, and picking through sources to determine accuracy and veracity. Having never participated in a Social Engineering competition and having no previous contact with this company, I knew that a few weeks of information gathering and 20 minutes of phone calls to meet the goals and get the flags would be a challenge.

But I kept on reminding myself that there is always information out there, and there is always a way in.

Lessons Learned from the SECTF

A few things I discovered from the experience:

1. It’s not enough to just know tools; you need to know what you’re looking for or you’ll find yourself flailing.

During the information gathering stage, armed with a list of tools, information gathering websites, and my experiences, I set about trying to discover information relevant to this task: determine security holes or awareness gaps in the open source information readily available online. But what exactly does that mean? The task for this competition called for information on specific flags and achievement of particular goals. My problem solver / mathematician side pulled me in many directions and down multiple rabbit holes – I wanted to ensure I found as many flags as possible leaving no virtual stone unturned. I ended up “binning” the information I found, helping me edit my searches to the more relevant information. With several bins of information, I was able to piece together a story relevant to the contest objectives of flag gathering and pretext development.

2. Many acting principles can be applied to Social Engineering.

My game plan was to be an insider to gain trust and to lower the target’s guard in order to get as many flags as possible, with several backup pretexts in case this didn’t end up going well. One thing that helped me stay flexible and ready to adapt to whatever might be thrown at me was my background in theater and improv.

It’s all about the other person. The other person (scene partner in theater, target in social engineering) is the most important, and should have your focus.

“Yes, and”. This is the most fundamental principle in improv [2, 3, 4]. “Yes, and” means to agree with whatever the other person says (or does, or is), and then further that on. Applying this to SE essentially means getting to and remaining on the same page as the target, and encouraging or doing whatever possible to continue the openness and information flow.

Prepare to fail (and failing is okay!). This is especially true in improvised situations, where neither party knows what is going to happen. In context of SE we can think of possible pushback and worst case scenarios, and prepare possible responses. If it doesn’t go the way we wanted or thought it would, we learn from that, pick ourselves up, and try something new.

Flexibility and adaptability is key. Although there may be a “script” of how we want things to go, we can reasonably assume that Murphy’s law will go into effect, and the off-the-wall and unexpected will happen.

3. It’s possible to Social Engineer yourself into being confident.

In order to be the best insider I could be, I wanted to have a solid cover story, and feel physically prepared.

During the information gathering stage, I researched the person I planned to “become” in my pretext. This research on my cover, or pretext, had nothing to do with the target or the flags I needed to get, but rather with me being confident and comfortable in the booth.

Right before I entered the booth, I “Power Posed” for a few minutes to decrease my cortisol levels (the hormone released in response to stress) and increase my testosterone levels (the hormone correlated with dominance and self-confidence) – thereby tricking (or SE-ing) myself into being more confident and ready to make the phone calls.

What Does This Prove?

Does this win (finally) prove that women are better social engineers?

Women cleaned up this year, getting both 1st and 2nd place (WooHoo!). Was this because we somehow stepped up our game? Or because we had different contestants we were going up against, or a whole new set of companies to go after? Or just that we were more prepared to represent at DEFCON? This contest explored one aspect of information gathering, and one type of social engineering given specific goals and flags. We weren’t going after personal or financial information, or any particular intellectual property of a company. And we were only contacting the company via phone, not in person or over email. I think there are too many variables to give a definitive answer.

Regardless of who might be the “better” gender, it is awesome to see more women getting involved in social engineering and doing as well – or better – than the men. Teams find more success given a diverse and versatile makeup of the team members. This is no different for social engineering. In the male-dominated IT, pentesting, and computer security fields, we should encourage more diversity and inclusion of women – especially in social engineering. It will mean more success for everyone.